Wa Relay
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is transparent about its WhatsApp relay purpose, but setup can copy your main agent credentials, patch your OpenClaw installation, and replace WhatsApp routing, so it needs careful review before use.
Install only if you want this multi-agent WhatsApp relay and are comfortable with the setup changes. Before running the scripts, back up your OpenClaw config and SOUL.md, review the generated config so existing bindings are not lost, consider using a separate least-privilege auth profile for the relay, and avoid the runtime patch if your OpenClaw version already includes the session-ID fix.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The relay agent may gain access to the same model-provider credentials as the main agent, increasing the impact if the relay workspace or its instructions are misused.
The setup script copies the main agent's full auth-profiles.json into the relay agent. This is disclosed and confirmation-gated, but it duplicates sensitive provider credentials into another agent rather than using a narrower credential scope.
MAIN_AUTH="$OPENCLAW_DIR/agents/main/agent/auth-profiles.json" ... cp "$MAIN_AUTH" "$RELAY_AUTH_DIR/auth-profiles.json"
Only approve this if you are comfortable sharing the main agent’s credentials with the relay agent. Prefer a least-privilege or separate provider profile for the relay, and remove the copied file if uninstalling.
This can persistently change how your OpenClaw installation validates session IDs and may affect other agents or future troubleshooting.
The setup script runs Node code to modify OpenClaw's installed dist files outside the skill directory. It creates backups and asks for confirmation, but it still patches the local runtime validator globally.
node -e "... fs.writeFileSync('${f}.bak', c); c = c.replace(old, nw); fs.writeFileSync('$f', c); ..."
Prefer updating OpenClaw to a version with the upstream fix. If you use the patch, review the exact files changed, keep backups, and revert once no longer needed.
Applying the generated config without reviewing existing bindings could disrupt other routes or send all non-allowlisted WhatsApp traffic to the relay agent.
The generated setup flow encourages applying a gateway config patch that replaces existing bindings and adds a WhatsApp catch-all route to the relay agent.
- The "bindings" array REPLACES any existing bindings ... gateway config.patch with the JSON above
Manually review and merge the generated bindings with your current gateway config. Back up the existing config before applying config.patch.
A malicious sender could include prompt-like text in a WhatsApp message that the main agent sees while preparing an owner notification.
The relay intentionally forwards third-party WhatsApp content into the main agent session. This is purpose-aligned, but the forwarded text is untrusted external input.
Use the `sessions_send` tool with:
- sessionKey: "agent:main:main"
- message: "📩 RELAY de [sender number]: [exact message]"
Keep the owner in the approval loop and consider adding explicit main-agent instructions to treat relayed message bodies as untrusted content, not commands.
The main agent will continue following the added relay behavior until the SOUL.md change is reviewed or removed.
The setup script persistently appends relay-handling instructions to the main agent's SOUL.md. This is disclosed and aligned with the relay purpose, but it changes persistent agent behavior.
printf '\n%s\n' "$RELAY_SECTION" >> "$MAIN_SOUL"
Review the appended SOUL.md section after setup and keep a backup of the original main agent instructions.
